



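<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
  <meta name="theme-color" content="#FFF">

  <!-- Touch icon: the generated href had the local "/images" prefix glued onto an
       absolute CDN URL, which resolved to a same-origin path that cannot exist.
       The absolute URL is used on its own here. -->
  <link rel="apple-touch-icon" sizes="180x180" href="https://cdn.jsdelivr.net/gh/zephyr-cyber/Blog-Gallery@main/blog-img/7b8cfd64db3c412194fc64cb710e594b.jpeg">
  <link rel="icon" type="image/ico" sizes="32x32" href="/images/favicon.ico">

  <meta http-equiv="Cache-Control" content="no-transform">
  <meta http-equiv="Cache-Control" content="no-siteapp">

  <!-- Feed discovery links.
       NOTE(review): the host in these URLs (and in the canonical link below) ends in
       ".git", which is not the form of a GitHub Pages host. Presumably the repository
       address was entered as the site URL in the generator config; confirm and regenerate. -->
  <link rel="alternate" type="application/rss+xml" title="Canary's Blog" href="https://zephyr-cyber.github.io.git/rss.xml">
  <link rel="alternate" type="application/atom+xml" title="Canary's Blog" href="https://zephyr-cyber.github.io.git/atom.xml">
  <link rel="alternate" type="application/json" title="Canary's Blog" href="https://zephyr-cyber.github.io.git/feed.json">

  <!-- NOTE(review): this entry points at a CSS file but is declared as a JSON feed
       alternate, so browsers never apply it. It is kept as generated. If the stylesheet
       is actually wanted, declare it with rel="stylesheet" and pin an exact package
       version; otherwise remove the entry from the feed list in the site config. -->
  <link rel="alternate" type="application/json" title="Canary's Blog" href="https://cdn.jsdelivr.net/npm/font-awesome/css/font-awesome.min.css">

  <script src="/js/live2d-widget/autoload.js?v=0.2.5"></script>

  <!-- Web fonts: explicit https: scheme instead of a protocol-relative URL, so the
       request can never be made over plain HTTP. -->
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Mulish:300,300italic,400,400italic,700,700italic%7CFredericka%20the%20Great:300,300italic,400,400italic,700,700italic%7CNoto%20Serif%20JP:300,300italic,400,400italic,700,700italic%7CNoto%20Serif%20SC:300,300italic,400,400italic,700,700italic%7CInconsolata:300,300italic,400,400italic,700,700italic&amp;display=swap&amp;subset=latin,latin-ext">

  <link rel="stylesheet" href="/css/app.css?v=0.2.5">

  <link rel="canonical" href="https://zephyr-cyber.github.io.git/pwn/">

  <title>
pwn 学习 (1) |
Canary = Canary's Blog</title>
  <meta name="generator" content="Hexo 5.4.0">
</head>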
<body itemscope itemtype="http://schema.org/WebPage">
  <div id="container">
    <header id="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="inner">
        <div id="brand">
          <div class="pjax">
          
  <h1 itemprop="name headline">pwn 学习 (1)
  </h1>
  
<div class="meta">
  <span class="item" title="Created: 2022-09-16 22:18:59">
    <span class="icon">
      <i class="ic i-calendar"></i>
    </span>
    <span class="text">Posted on</span>
    <time itemprop="dateCreated datePublished" datetime="2022-09-16T22:18:59+08:00">2022-09-16</time>
  </span>
</div>


          </div>
        </div>

      </div>
    </header>
    <main>
      <div class="inner">
        <div id="main" class="pjax">
          
  <div class="article wrap">
    

    <article itemscope itemtype="http://schema.org/Article" class="post block" lang="zh-CN">
  <link itemprop="mainEntityOfPage" href="https://zephyr-cyber.github.io.git/pwn/">

  <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
    <meta itemprop="image" content="https://cdn.jsdelivr.net/gh/zephyr-cyber/Blog-Gallery@main//blog-img/16f8bec9f7fbb60bf0c3a1d2fa12affd.jpeg">
    <meta itemprop="name" content="cheuncey Zhang">
    <meta itemprop="description" content="我用回忆温暖了想你的每一刻, 刻意练习">
  </span>

  <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
    <meta itemprop="name" content="Canary's Blog">
  </span>

  <div class="body md" itemprop="articleBody">
    

    <h1 id="pwn学习1"><a class="anchor" href="#pwn学习1">#</a> pwn 学习 1</h1>
<p>一张汇编图片<br />
<img data-src="/img/PWN/huibian1.jpg" alt="avatar" /></p>
<p>栈帧结构</p>
<h1 id="fig-1函数调用发生和结束时调用栈的变化"><a class="anchor" href="#fig-1函数调用发生和结束时调用栈的变化">#</a> Fig 1. 函数调用发生和结束时调用栈的变化</h1>
<p>esp 用来存储函数调用栈的栈顶地址，在压栈和退栈时发生变化。ebp 用来存储当前函数状态的基地址，在函数运行时不变，可以用来索引确定函数参数或局部变量的位置。eip 用来存储即将执行的程序指令的地址，cpu 依照 eip 的存储内容读取指令并执行，eip 随之指向相邻的下一条指令，如此反复，程序就得以连续执行指令。<br />
下面让我们来看看发生函数调用时，栈顶函数状态以及上述寄存器的变化。变化的核心任务是将调用函数（caller）的状态保存起来，同时创建被调用函数（callee）的状态<br />
<img data-src="/img/PWN/fig1.jpg" alt="avatar" /></p>
<h1 id="fig-2将被调用函数的参数压入栈内"><a class="anchor" href="#fig-2将被调用函数的参数压入栈内">#</a> Fig 2. 将被调用函数的参数压入栈内</h1>
<p>将被调用函数的参数压入栈内<br />
首先将被调用函数（callee）的参数按照逆序依次压入栈内。如果被调用函数（callee）不需要参数，则没有这一步骤。这些参数仍会保存在调用函数（caller）的函数状态内，之后压入栈内的数据都会作为被调用函数（callee）的函数状态来保存。（按逆序压栈传参是 32 位 x86 下 cdecl 等调用约定的做法；在 x86-64 下，前几个参数通常通过寄存器传递。）<br />
<img data-src="/img/PWN/fig2.jpg" alt="avatar" /></p>
<h1 id="fig-3将被调用函数的返回地址压入栈内"><a class="anchor" href="#fig-3将被调用函数的返回地址压入栈内">#</a> Fig 3. 将被调用函数的返回地址压入栈内</h1>
<p>然后将调用函数（caller）进行调用之后的下一条指令地址作为返回地址压入栈内。这样调用函数（caller）的 eip（指令）信息得以保存。<br />
<img data-src="/img/PWN/fig3.jpg" alt="avatar" /></p>
<h1 id="fig-4将调用函数的基地址ebp压入栈内并将当前栈顶地址传到-ebp-寄存器内"><a class="anchor" href="#fig-4将调用函数的基地址ebp压入栈内并将当前栈顶地址传到-ebp-寄存器内">#</a> Fig 4. 将调用函数的基地址（ebp）压入栈内，并将当前栈顶地址传到 ebp 寄存器内</h1>
<p>再将当前的 ebp 寄存器的值（也就是调用函数的基地址）压入栈内，并将 ebp 寄存器的值更新为当前栈顶的地址。这样调用函数（caller）的 ebp（基地址）信息得以保存。同时，ebp 被更新为被调用函数（callee）的基地址。<br />
<img data-src="/img/PWN/fig4.jpg" alt="avatar" /></p>
<h1 id="fig-5将被调用函数的局部变量压入栈内"><a class="anchor" href="#fig-5将被调用函数的局部变量压入栈内">#</a> Fig 5. 将被调用函数的局部变量压入栈内</h1>
<p>再之后是将被调用函数（callee）的局部变量等数据压入栈内。<br />
<img data-src="/img/PWN/fig5.jpg" alt="avatar" /></p>
<h1 id="fig-6将被调用函数的局部变量弹出栈外"><a class="anchor" href="#fig-6将被调用函数的局部变量弹出栈外">#</a> Fig 6. 将被调用函数的局部变量弹出栈外</h1>
<p>在压栈的过程中，esp 寄存器的值不断减小（对应于栈从内存高地址向低地址生长）。压入栈内的数据包括调用参数、返回地址、调用函数的基地址，以及局部变量，其中调用参数以外的数据共同构成了被调用函数（callee）的状态。在发生调用时，程序还会将被调用函数（callee）的指令地址存到 eip 寄存器内，这样程序就可以依次执行被调用函数的指令了。<br />
看过了函数调用发生时的情况，就不难理解函数调用结束时的变化。变化的核心任务是丢弃被调用函数（callee）的状态，并将栈顶恢复为调用函数（caller）的状态。<br />
首先被调用函数的局部变量会从栈内直接弹出，栈顶会指向被调用函数（callee）的基地址。<br />
<img data-src="/img/PWN/fig6.jpg" alt="avatar" /></p>
<h1 id="fig-7"><a class="anchor" href="#fig-7">#</a> Fig 7.</h1>
<p>Fig 7 图注：将调用函数（caller）的基地址（ebp）弹出栈外，并存到 ebp 寄存器内。<br />
然后将被调用函数（callee）基地址处保存的调用函数（caller）的基地址从栈内弹出，并存到 ebp 寄存器内。这样调用函数（caller）的 ebp（基地址）信息得以恢复。此时栈顶会指向返回地址。<br />
<img data-src="/img/PWN/fig7.jpg" alt="avatar" /></p>
<h1 id="fig-8"><a class="anchor" href="#fig-8">#</a> Fig 8.</h1>
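<p>再将返回地址从栈内弹出，并存到 eip 寄存器内。这样调用函数（caller）的 eip（指令）信息得以恢复。<br />
Fig 8 图注：将被调用函数的返回地址弹出栈外，并存到 eip 寄存器内。<br />
至此调用函数（caller）的函数状态就全部恢复了，之后就是继续执行调用函数的指令了。可以看到，返回地址和保存的 ebp 与局部变量紧邻地存放在同一段栈内存里，函数返回后执行到哪里完全取决于栈上这份数据是否完好，这也是栈保护（stack canary）等防护机制要在返回前校验栈内容的原因。<br />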
<img data-src="/img/PWN/fig8.jpg" alt="avatar" /></p>

  </div>

   <footer>

    <div class="meta">
  <span class="item">
    <span class="icon">
      <i class="ic i-calendar-check"></i>
    </span>
    <span class="text">Edited on</span>
    <time title="Modified: 2021-12-01 09:05:47" itemprop="dateModified" datetime="2021-12-01T09:05:47+08:00">2021-12-01</time>
  </span>
</div>

      

      

<div id="copyright">
<ul>
  <li class="author">
    <strong>Post author:  </strong>cheuncey Zhang <i class="ic i-at"><em>@</em></i>Canary's Blog
  </li>
  <li class="link">
    <strong>Post link: </strong>
    <a href="https://zephyr-cyber.github.io.git/pwn/" title="pwn 学习 (1)">https://zephyr-cyber.github.io.git/pwn/</a>
  </li>
  <li class="license">
    <strong>Copyright Notice:  </strong>All articles in this blog are licensed under <span class="exturl" data-url="aHR0cHM6Ly9jcmVhdGl2ZWNvbW1vbnMub3JnL2xpY2Vuc2VzL2J5LW5jLXNhLzQuMC9kZWVkLnpo"><i class="ic i-creative-commons"><em>(CC)</em></i>BY-NC-SA</span> unless otherwise stated.
  </li>
</ul>
</div>

  </footer>

</article>

  </div>
  



        </div>
      </div>
    </main>
  </div>
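<!-- Per-page settings read by the theme script (/js/app.js): the page path, tab-title
     strings, search UI strings, feature switches, and URL filters. -->
<script data-config type="text/javascript">
  var LOCAL = {
    path: 'pwn/',
    favicon: {
      show: "（●´3｀●）Goooood",
      hide: "(´Д｀)Booooom"
    },
    search : {
      placeholder: "Search for Posts",
      empty: "We didn't find any results for the search: ${query}",
      stats: "${hits} results found in ${time} ms"
    },
    valine: true,fancybox: true,
    copyright: 'Copied to clipboard successfully! <br> All articles in this blog are licensed under <i class="ic i-creative-commons"></i>BY-NC-SA.',
    // URL filters: the first matches in-page anchors, the second matches URLs ending in this page's own path.
    ignores : [
      function(uri) {
        return uri.includes('#');
      },
      function(uri) {
        return new RegExp(LOCAL.path+"$").test(uri);
      }
    ]
  };
</script>

<!-- Supply-chain note: this page used to load polyfill.js from cdn.polyfill.io.
     That domain changed ownership in 2024 and was reported to serve injected scripts,
     so the include is dropped. Current browsers ship the APIs it patched, and a fetch
     polyfill is already part of the bundle below. If legacy-browser support is still
     required, self-host a reviewed copy instead of loading it from a third-party host. -->

<!-- Third-party bundle: explicit https: scheme instead of a protocol-relative URL.
     NOTE(review): several entries use version ranges (algoliasearch@4, instantsearch.js@4,
     lozad@1, quicklink@2), so the served bytes can change without notice. Pin exact
     versions and add integrity and crossorigin attributes, or self-host the bundle. -->
<script src="https://cdn.jsdelivr.net/combine/npm/pace-js@1.0.2/pace.min.js,npm/pjax@0.2.8/pjax.min.js,npm/whatwg-fetch@3.4.0/dist/fetch.umd.min.js,npm/animejs@3.2.0/lib/anime.min.js,npm/algoliasearch@4/dist/algoliasearch-lite.umd.js,npm/instantsearch.js@4/dist/instantsearch.production.min.js,npm/lozad@1/dist/lozad.min.js,npm/quicklink@2/dist/quicklink.umd.js"></script>

<script src="/js/app.js?v=0.2.5"></script>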




</body>
</html>
